Oct 10, 2022 6 min read Azure Arc

Azure Arc - Add servers from Azure Update Management

Azure Arc Agent Deployment

One of the great things about Azure Arc is that you have various options for deploying the agent on your servers. These can be virtual machines or physical servers. In every Azure Arc project, we need to analyze and discuss with the customer how to do the agent onboarding and what processes we need to set up. We can split this task into two different phases:

Initial agent deployment
New server provisioning process

This post shows you how to install the agent through the Azure Automation Update Management feature.

💡

Are you ready to take your on-premises servers to the next level with Azure Arc? Contact me today and let me help you implement Azure Arc for your servers and unlock the full potential of your hybrid infrastructure.

Currently, there are several ways to deploy the agent, including:

Using a deployment script
- This approach is for smaller environments
Using a service principle
- This option is suitable for large-scale deployments
Using Azure Update Management
- This option is good for the existing Azure Update Management customers. In this case, you already have the Microsoft Monitoring Agent installed on your servers.
Using Az.ConnectedMachine PowerShell module
- I like this one as well. You can build up your custom installation script with different logic for tagging etc. Good for large-scale deployments as well
Using Desired State Configuration
- Suppose you are using Azure Automation DSC or an on-premises version of DSC. In that case, this may also be good in large-scale deployment scenarios.
Using a Script feature in Configuration Manager
Using a Group Policy
Using Windows Admin Center
Using a Custom Task Sequence in Configuration
- Suitable for large-scale deployments. You can customize the deployment based on different conditions and needs.

As you see from this list, you have plenty of agent deployment methods. Pick and choose the one that suits you the best.

What is Azure Automation Update Management?

Azure Update Management is a cloud-based service that manages and deploys updates for Windows and Linux computers. It helps reduce the time and effort needed to keep systems up-to-date with the latest security patches, hotfixes, service packs, and more. With Update Management, IT administrators can easily discover which servers need to be updated, create deployment plans for rolling out those updates orderly, review reports on patch compliance across their environment, and receive notifications when new updates become available. This provides a comprehensive solution for quickly and reliably keeping your systems secure while minimizing disruption to operations.

Update Management also integrates with Azure Log Analytics, storing all data in the same Workspace. This makes it easier for us to create Workbooks, Alerts, Automation etc.

There are many customers who are using Azure Update Management today, and based on my experience, it is the easiest way to roll out the Azure Arc-Enabled Servers agent.

From the above screenshot, you can see that we have one server connected with Azure Update Management.

If you are already an experienced administrator around Azure Update Management, you have noticed that Microsoft uses the Patch-MicrosoftOMSComputers runbook for patching.

Microsoft fully manages this runbook, and you don't have any access to that. It is also a special and hidden runbook because it can run directly on your servers under the system runbook hybrid worker. If you create a custom PowerShell runbook for yourself, then you cant do the same. You can only run the runbooks using the Azure Automation Runbook Hybrid Workers that you have deployed and belong to the Runbook Worker groups.

Now with Azure Arc, Microsoft introduces another new master runbook called Add-AzureConnectedMachines. Microsoft fully manages this runbook and can also run on your servers directly.

Requirements

To deploy Azure Arc agent through Azure Update Management, you need the following:

Azure Log Analytics Workspace
Microsoft Monitoring Agent should be installed and configured on your servers
Azure Automation Account
Azure Update Management solution activated
Automation Job Operator role permissions
Permissions to create Service Principals
Permissions to manage Resource Group / Subscription permissions

💡

Before you continue, make sure to take some time and think through how many resource groups you want to create for Azure Arc servers. You can onboard all the servers into a single resource group or split them into multiple ones based on the administration model, location, services, etc. It is also fully supported in moving Azure Arc resources to other resource groups.

Azure Arc agent deployment through Update Management

Rolling out the Azure Arc Connected Machine Agent using the Update Management goes through the following process:

Automatically creates Azure Active Directory Service Principal. It uses this for authentication and onboarding. The main Azure Arc configuration panel shows all the service principals.

Azure Active Directory Service Principals for Azure Arc

Using other agent deployment methods, you can create Service Principals through the UI, PowerShell, or Azure CLI. But in this case, everything will be taken care of for you.

Installs the Connected Machine Agent
Onboards the server to Azure Arc service

You can install the Azure Arc-enabled server agent on one or multiple virtual machines or physical servers that use Windows or Linux operating systems. These machines may be on-premises or in another cloud environment but must be managed through Azure Automation Update Management.

Follow the steps to deploy the agent through Update Management for the hybrid machines. These steps should not trigger any reboots. If you have many servers, you can phase them into multiple smaller groups.

Open Azure Portal (portal.azure.com ) and search for Azure Arc
On the Azure Arc panel, choose Add your infrastructure for free
Select Servers
On the Add servers with Azure Arc panel, select Add servers from Update Management (preview)
On the Add servers from Update Management page, specify the following information:
a. Subscription
b. Resource Group
c. Region
d. SPN
e. Connectivity Method
- Public endpoint
- Proxy Server
- Private Endpoint
On the Servers page, click +Add Servers and choose the servers you want to add
On the Authentication page, choose Create a new service principal. If you select use the existing one, then you need to specify the Service Principal and enter the Client Secret.
Specify the Tags
Review the deployment information and click Add

These steps kick off the Add-AzureConnectedMachines runbook. If it is Windows server-based operating system, you see that it executes the child runbook called Add-AzureConnectedMachineWindows. If you also selected Linux servers, you see the Add-AzureConnectedMachineLinux runbook. Both of these runbooks will be executed under the system Hybrid Runbook Worker.

Agent Deployment through Azure Update Management

There are two different types of Runbook Workers:

User - Custom runbooks that you can execute through the Azure Automation Hybrid Runbook Workers. You can create your own Runbook Worker groups for different datacenters etc. For each Runbook Worker Group, you need at least one virtual machine. You can deploy this through the Azure Arc Extensions.
System - Fully managed and hidden runbooks by Microsoft. These can be executed directly on the servers.

References

Summary

💡

What is Azure Automation Update Management?

Requirements

Azure Arc agent deployment through Update Management

References

Summary

You might also like...

Maximizing Your Security with Azure Update Management

Unlocking the Power of Microsoft Sentinel SIEM: Features and Benefits

Azure Automation Hybrid Runbook Worker: A Game Changer for IT Operations

Azure Arc-Enabled Servers: Frequently Asked Questions

KQL Query - Azure Arc-enabled Servers Resource Health